A recent joint advisory from the FBI, CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) sheds light on a new tactic used by operators of the infamous Medusa ransomware. Medusa's standard double extortion already demands a single payment under two threats (no decryptor, and publication of stolen data); in at least one case a victim that had already paid was pressed for a further payment, pointing toward a triple extortion scheme. The advisory outlines the modus operandi of Medusa, a global ransomware-as-a-service (RaaS) operation whose developers recruit third-party affiliates to deploy the ransomware and negotiate with victims after encryption.
The affiliates, referred to in the advisory as "Medusa actors", and the initial access brokers they rely on specialize in breaching victims' IT defenses through phishing campaigns and the exploitation of unpatched software, including CVE-2024-1709 (an authentication bypass in ConnectWise ScreenConnect) and CVE-2023-48788 (a SQL injection in Fortinet FortiClient EMS). Once the ransomware is deployed, the Medusa actors apply a double extortion strategy, demanding payment both to decrypt the data and to prevent its public release. Victims are shown a countdown timer indicating when their data will be exposed if the ransom is not paid.
In a disturbing development, the advisory highlights a rare incident in which a victim, after paying the ransom, was contacted by a separate Medusa actor claiming that the original negotiator had stolen the payment. The victim was then coerced into paying a second time to obtain the "true decryptor". The episode hints at a possible triple extortion scheme in which victim information is shared among multiple criminals, and it is a reminder that a first payment buys no assurance that the extortion ends there.
The affiliates recruited by Medusa's operators are compensated handsomely: the advisory cites potential payments ranging from $100 to $1 million, along with the opportunity to work exclusively with the RaaS crew. Where victim details circulate among several affiliates, each has a financial incentive to extract a payment of their own, which may help explain the repeat demand described above and ultimately benefits the entire Medusa ecosystem.
The advisory also underscores the rising threat posed by Medusa, with at least 300 victims reported across critical infrastructure sectors. Recent attacks on organizations such as the HCRG Care Group and Gateshead Council in the UK illustrate the reach of Medusa ransomware, with data theft and large ransom demands now routine.
To combat this evolving threat, the advisory's mitigations are the familiar ransomware baseline: keep multiple copies of sensitive data in physically separate, segmented locations that an attacker on the production network cannot reach; segment networks to limit lateral movement; require multi-factor authentication for all services, particularly webmail, VPNs, and accounts that access critical systems; and patch promptly, prioritizing known exploited vulnerabilities such as the two CVEs cited above. Organizations that follow these guidelines materially raise the cost of a Medusa intrusion and reduce the damage if one succeeds.